Bug 6088 - Implement "domain controller = no" when using an LDAP backend
Implement "domain controller = no" when using an LDAP backend
Status: RESOLVED INVALID
Product: Samba 3.2
Classification: Unclassified
Component: Nmbd
unspecified
All Linux
: P3 enhancement
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-04 13:21 UTC by David Markey
Modified: 2009-02-19 15:59 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Markey 2009-02-04 13:21:11 UTC
I would like an extra option in smb.conf for in the event that an LDAP backend is being used but you dont want that particular samba server to be a Domain Controller, just a file server.

I hope diagram explains the scenario.

http://www.dmarkey.com/~dmarkey/Diagram1.png

I have achieved this in a round about way. on the file server i disabled nmbd and on our WINS server i put an entry in for the file server as an ordinary file server not a DC.
Comment 1 Björn Jacke 2009-02-05 02:51:25 UTC
why not use security=domain, doesn't that do exactly what you want?
Comment 2 David Markey 2009-02-05 05:21:11 UTC
As far as i remember no it didnt, That requires a net join and the SID mapping would be done via winbind communicating to the domain controller? That causes problems because i need the uid/gid to be consistent, for that i'm using nssldap.


 
Comment 3 Björn Jacke 2009-02-06 05:56:40 UTC
you need no winbind, you can keep using ldapsam as passdb backend which pulls the SIDs out of LDAP. If you have problems setting up that, you should better discuss that on the samba mailing list. I'm closing this bug as there is obviously no defect and no missing feature in samba here ;-)
Comment 4 David Markey 2009-02-06 06:28:29 UTC
I discussed this on the mailing list before raising the bug and nobody could give me a solution that worked.
Comment 5 David Markey 2009-02-19 14:08:46 UTC
So getting back to this.

with this config:

[global]
        workgroup = CS
        netbios name = WESTMEATH
        security = domain
        server string = Storage Server
        encrypt passwords = Yes
        ldap passwd sync = yes
        interfaces = eth1 147.x.x.x/16
        bind interfaces only = yes
        password server = kerry
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        mangling method = hash2
        domain logons = yes
        domain master = No
        preferred master = no
        wins server = xxx.xxx.xxx.xxx xxx.xxx.xxx,xxx
        passdb backend = ldapsam:ldaps://147.xxx.xxx.xxx
        ldap admin dn = cn=admin,dc=cs,dc=dit,dc=ie
        ldap suffix = dc=cs,dc=dit,dc=ie
        ldap group suffix = ou=group
        ldap user suffix = ou=user
        ldap machine suffix = ou=machine
        load printers = no
        create mask = 0640
        directory mask = 0750
        nt acl support = yes
        printing = none
        ldapsam:trusted = yes
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[tech]
        comment = Techshare
        path = /home/tech
        read only = No
        profile acls = yes
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
        browseable = no
        guest ok = no
        printable = no
        valid users= @tech
        hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
_____________________________________________________

According to what you said samba should not advertise itself as a domain controller, but it still does.


I've tried every combination of settings i can think of but i still cannot get the outcome i want.


Comment 6 Björn Jacke 2009-02-19 15:49:37 UTC
you tell em to by setting domain logons = yes ...
Comment 7 David Markey 2009-02-19 15:55:23 UTC
With domain controller = no.

Westmeath:~# net user -I Westmeath
Enter root's password:
Could not connect to server 147.xx.xx.xx
Connection failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO


And it creates it only sambaDomain object in LDAP


dn: sambaDomainName=WESTMEATH,dc=cs,dc=dit,dc=ie
sambaDomainName: WESTMEATH
sambaSID: S-1-5-21-911453016-1235691199-2814491779
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 6d0db50e-930b-102d-80a7-4be67a57e353
creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
createTimestamp: 20090219195831Z
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
entryCSN: 20090219195831.387671Z#000000#001#000000
modifiersName: cn=admin,dc=cs,dc=dit,dc=ie
modifyTimestamp: 20090219195831Z


Which is completely wrong.

it should be using sambaDomainName=CS,dc=cs,dc=dit,dc=ie
Comment 8 David Markey 2009-02-19 15:57:20 UTC
sorry that should be

And it creates it _own_ sambaDomain object in LDAP
Comment 9 David Markey 2009-02-19 15:59:30 UTC
sorry, with 

domain logons = no


I should really proof read my comments!